Tag: encryption

The FBI is struggling to decode private messages on phones and other mobile devices that could contain key criminal evidence, and the agency failed to access data more than half of the times it tried during the last fiscal year, FBI Director Christopher Wray told House lawmakers.

Wray will testify at the House Judiciary Committee Thursday morning on the wide range of issues the FBI faces. One of the issues hurting the FBI, he said, is the ability of criminals to “go dark,” or hide evidence electronically from authorities.

“The rapid pace of advances in mobile and other communication technologies continues to present a significant challenge to conducting lawful court-ordered access to digital information or evidence,” he said in his prepared remarks to the committee. “Unfortunately, there is a real and growing gap between law enforcement’s legal authority to access digital information and its technical ability to do so.”

Wray said criminals and terrorists are increasingly using these technologies. He added that the Islamic State is reaching potential recruits through encrypted messaging, which is difficult for the FBI to crack.

“If we cannot access this evidence, it will have ongoing, significant effects on our ability to identify, stop, and prosecute these offenders,” he said.

He noted that in the last fiscal year, the FBI was unable to access data on about 7,800 mobile devices, even though they had the legal authority to try. He said that was a little more than half of the mobile devices the FBI tried to access in fiscal year 2017.

Wray said the FBI tries to develop workarounds to get at the data, but doesn’t always succeed.

Wray also made it clear that the FBI is not asking for more legal authority to access mobile devices, but said, without being specific, that new ways must be found to let the FBI access this data.

“When changes in technology hinder law enforcement’s ability to exercise investigative tools and follow critical leads, those changes also hinder efforts to identify and stop criminals or terrorists,” he said.

He added that the FBI is “actively engaged” with companies to discuss the problem that “going dark” has on law enforcement, and the agency is working with academics and technologists to find “solutions to this problem.”

Wray is likely to be questioned on a wide range of topics at Thursday’s hearing, including new complaints from Republicans that Wray and other Justice Department officials have ignored requests for information about their actions in the Russia election meddling probe.

Republicans this week started writing a contempt resolution against Wray and others after the Justice Department failed to answer questions from lawmakers about why a top FBI agent was removed from the Russia probe. It was later discovered that the agent sympathized with Hillary Clinton and opposed then-presidential candidate Donald Trump.

US Deputy Attorney General Rod Rosenstein has decided to use the recent mass shooting at a Texas church to reiterate calls for encryption backdoors to help law enforcers.

The incident took place at the First Baptist Church in Sutherland Springs, killing at least 26 people.

Deceased suspect Devin Kelley’s mobile phone is now in the hands of investigators, but they can’t access it — a similar situation to the one following the mass shooting in San Bernardino which resulted in a court room standoff between Apple and the FBI.

It’s now widely understood that there’s no way for an Apple, Facebook or other tech provider to engineer backdoors in encrypted systems that would allow only police to access content in cases such as these, without putting the security of millions of law-abiding customers at risk.

However, that hasn’t prevented Rosenstein becoming the latest senior US government official to call on technology companies to implement backdoors.

“As a matter of fact, no reasonable person questions our right to access the phone. But the company that built it claims that it purposely designed the operating system so that the company cannot open the phone even with an order from a federal judge,” he told a meeting of local business leaders in Maryland.

“Maybe we eventually will find a way to access the data. But it costs a great deal of time and money. In some cases, it surely costs lives. That is a very high price to pay.”

For its part, Apple has maintained that it works closely with law enforcement every day, even providing training so that police better understand the devices and know how to quickly request information.

However, it is standing firm on the matter of backdoors, aware that breaking its own encrypted systems for US police would likely lead to a stream of requests from other regions including China.

It’s also been suggested that cyber-criminals or nation state actors could eventually get their hands on any backdoors, which would be catastrophic for Apple and its users.

Top10VPN.com head of research, Simon Migliano, called for cool heads on the issue.

“The US Deputy Attorney General bemoans ‘warrant-proof encryption’ but fails to understand that there is no other type of encryption. As all privacy and security experts agree, to undermine encryption with ‘backdoors’ is to open a Pandora’s Box that puts at risk the entire online – and therefore real-world – economy.

“End-to-end encryption secures our banking, online shopping and sensitive business activities. Any kind of ‘backdoor’ would fatally undermine security in these areas. As we learned to our cost with the leak of CIA tools earlier this year, once an exploit exists, it’s only a matter of time until it leaks and cybercriminals have yet another tool at their disposal.”

The head of the FBI has reignited the debate about technology companies continuing to protect customer privacy despite law enforcement having a search warrant.

The FBI says it hasn’t been able to retrieve data from nearly 7000 mobile phones in less than one year, as the US agency turns up the heat on the ongoing debate between tech companies and law enforcement officials.

FBI Director Christopher Wray says in the first 11 months of the fiscal year, US federal agents were blocked from accessing the content of 6900 mobile phones.

“To put it mildly, this is a huge, huge problem,” Wray said in a speech on Sunday at the International Association of Chiefs of Police conference in Philadelphia.

The FBI and other law enforcement officials have long complained about being unable to unlock and recover evidence from mobile phones and other devices seized from suspects even if they have a warrant. Tech firms maintain they must protect their customers’ privacy.

In 2016 the debate was on show when the Justice Department tried to force Apple to unlock an encrypted mobile phone used by a gunman in a terrorist attack in San Bernardino, California. The department eventually relented after the FBI said it paid an unidentified vendor who provided a tool to unlock the phone and no longer needed Apple’s assistance, avoiding a court showdown.

The Justice Department under US President Donald Trump has suggested it will be aggressive in seeking access to encrypted information from technology companies. But in a recent speech, Deputy Attorney General Rod Rosenstein stopped short of saying exactly what action it might take.

Your home Wi-Fi might not be as secure as you think. WPA2 — the de facto standard for Wi-Fi password security worldwide — may have been compromised, with huge ramifications for almost all of the Wi-Fi networks in our homes and businesses as well as for the networking companies that build them. Details are still sketchy as the story develops, but it’s looking like a new method called KRACK — for Key Reinstallation AttaCK — is responsible.

WPA stands for Wi-Fi Protected Access, but it might not be as protected as we’ve all been assuming. It looks like security researcher Mathy Vanhoef will present the (potentially) revelatory findings at around 10PM AEST Monday — although it’s been worked on for some time; Vanhoef first teased the revelations 49 days ago.

In the source code of a dormant website called Krack Attacks apparently belonging to Vanhoef, a description reads: “This website presents the Key Reinstallation Attack (KRACK). It breaks the WPA2 protocol by forcing nonce reuse in encryption algorithms used by Wi-Fi.” Vanhoef’s website also lists a paper to be released at CCS 2017 detailing the method for key reinstallation attacks, co-authored with security researcher Frank Piessens.
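The one concrete statement on the KRACK site quoted above is that the attack works by forcing nonce reuse. The following added example (not code from the article, from Vanhoef's paper or from any Wi-Fi vendor) shows why that matters for a counter-mode cipher and what the fix looks like: a keystream derived from the same key and nonce is used twice, so XORing the two ciphertexts cancels the keystream, and a defender who knows one frame's plaintext can read the other without the key. The keystream here is a SHA-256 stand-in for AES-CCM, the key, nonce layout and frame contents are constructed, and `PacketSession` is a hypothetical model of the per-association packet counter; the hardened variant simply refuses to reset that counter when an already-installed key is installed again.

```python
import hashlib
from typing import Tuple

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in for a counter-mode keystream: block i = SHA-256(key || nonce || i).
    # Wi-Fi's AES-CCM differs in detail but shares the property that matters
    # here: the keystream is a pure function of (key, nonce).
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(out[:length])

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class PacketSession:
    """Hypothetical per-association state: the installed key and the packet
    number that becomes the nonce. reset_counter_on_reinstall=True models the
    flawed behaviour; False models the fix (a duplicate install of the same
    key leaves the counter alone)."""

    def __init__(self, reset_counter_on_reinstall: bool):
        self.reset_counter_on_reinstall = reset_counter_on_reinstall
        self.key = None
        self.packet_number = 0

    def install_key(self, key: bytes) -> None:
        if key == self.key and not self.reset_counter_on_reinstall:
            return                      # hardened: ignore the duplicate install
        self.key = key
        self.packet_number = 0          # a genuinely fresh key starts at 0

    def encrypt(self, plaintext: bytes) -> Tuple[bytes, bytes]:
        nonce = self.packet_number.to_bytes(6, "big")
        self.packet_number += 1
        return nonce, xor_bytes(plaintext, keystream(self.key, nonce, len(plaintext)))

def recover_with_known_plaintext(ct1: bytes, ct2: bytes, known_pt1: bytes) -> bytes:
    """ct1 XOR ct2 == pt1 XOR pt2 exactly when both frames used the same keystream."""
    return xor_bytes(xor_bytes(ct1, ct2), known_pt1)

def demo(reset_counter_on_reinstall: bool) -> Tuple[bool, bytes]:
    """Returns (nonce was reused, bytes recovered for the second frame)."""
    key = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed key
    pt1 = b"GET / HTTP/1.1\r\n"       # constructed, predictable first frame
    pt2 = b"password=hunter2"         # constructed secret second frame, same length
    session = PacketSession(reset_counter_on_reinstall)
    session.install_key(key)
    nonce1, ct1 = session.encrypt(pt1)
    session.install_key(key)          # a retransmitted handshake message arrives
    nonce2, ct2 = session.encrypt(pt2)
    return nonce1 == nonce2, recover_with_known_plaintext(ct1, ct2, pt1)

if __name__ == "__main__":
    print("flawed   :", demo(True))    # nonce reused, second frame readable
    print("hardened :", demo(False))   # fresh nonce, recovery yields garbage
```

The interesting line is the second `install_key` call: the cryptography is identical in both runs, and the only difference is whether a repeated key installation is allowed to rewind the packet number. That is the kind of small state-machine rule a firmware or driver patch for this class of bug enforces.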

Part of the potential flaw in WPA could be that the random number generation used to create ‘group keys’ — the pre-shared encryption key shared on non-enterprise WPA/WPA2 wireless networks — isn’t random enough and can be predicted, as the researchers suggested in a 2016 paper.

With that prediction of not-so-random numbers in place, the researchers have demonstrated the ability to flood a network with authentication handshakes and determine a 128-bit WPA2 key through sheer volume of random number collection. Though it’s not yet clear, the re-use of a non-random key could allow an attacker to piggyback their way into a wireless network and then snoop on the data being transmitted within.

However, it may not be the apocalypse that some are suggesting. Given that the publication of this vulnerability has been withheld, a fix may already be in the works — or already completed — from major wireless vendors.

Most home and business wireless routers currently using WPA2 should be relatively easy to upgrade to address the potential security issue, but the millions of Internet of Things wireless devices already in the world will be hardest hit — devices that are un-upgradeable, but will still need to connect to insecure networks or use soon-to-be-deprecated methods. This could get messy.

Back in the day, the original Wired Equivalent Privacy (WEP) encryption standard was cracked to the point of off-the-shelf tools breaking it in as little as a minute.

If you go war-driving today around your city or town, it’s still likely you’ll find wireless networks ‘protected’ by WEP, because end users still don’t know that it’s unsafe. It was superseded by WPA and WPA2 in later years, but we might be on the search for a new Wi-Fi encryption method in the years to come: KRACK may mean that the fundamental privacy we expect of a network protected by WPA2 is no more.

SAN FRANCISCO — The FBI’s director says the agency is collecting data that he will present next year in hopes of sparking a national conversation about law enforcement’s increasing inability to access encrypted electronic devices.

Speaking on Friday at the American Bar Association conference in San Francisco, James Comey says the agency was unable to access 650 of 5,000 electronic devices investigators attempted to search over the last 10 months.

Comey says encryption technology makes it impossible in a growing number of cases to search electronic devices. He says it’s up to U.S. citizens to decide whether to modify the technology.

The FBI earlier this year engaged in a high-profile fight with Apple to access data from a locked iPhone used by a shooter in the San Bernardino, California, terrorist attack.

Google, known for its security practices, has finally brought HTTP Strict Transport Security (HSTS) to google.com to strengthen its data encryption. HSTS helps protect against eavesdroppers, man-in-the-middle attacks, and hijackers who attempt to spoof a trusted website. Chrome, Safari, and Internet Explorer all support HSTS.

“HSTS prevents people from accidentally navigating to HTTP URLs by automatically converting insecure HTTP URLs into secure HTTPS URLs,” said Jay Brown, a senior technical program manager for security at Google, in a blog post. “Users might navigate to these HTTP URLs by manually typing a protocol-less or HTTP URL in the address bar, or by following HTTP links from other websites.”

Typically, implementing HSTS is a fairly simple process, Brown said. But, due to Google’s complex algorithms, the company had to address mixed content, bad HREFs, redirects to HTTP, and other issues like updating legacy services which could cause problems for users as they try to access the core domain.

Brown also noted that the team accidentally broke Google’s Santa Tracker just before Christmas last year during testing.

According to Google, about 80% of requests to its servers today use encrypted connections. The use of HSTS goes a step further by preventing users from mistakenly visiting unsafe URLs.

Certain domains, including PayPal and Twitter, will be automatically configured with HSTS to keep users safe, according to Google’s HSTS Preload List.

Google is now focused on increasing the “max-age,” or the duration that the header is active. The max-age is currently set to one day to help mitigate the risk of any potential problems with the rollout. “By increasing the max-age, however, we reduce the likelihood that an initial request to www.google.com happens over HTTP,” Brown said. “Over the next few months, we will ramp up the max-age of the header to at least one year.”
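To make the max-age discussion concrete, here is an added example (not Google's code, and not from the article) of the client-side logic HSTS relies on: a small model of a browser's HSTS store that learns policies from `Strict-Transport-Security` headers, honours a preload list, and upgrades `http://` URLs for hosts with an active policy. Run against the article's numbers, it shows why a one-day max-age leaves a window in which a typed `http://` URL is sent in the clear, and why ramping to a year closes it. The host names, timestamps and the preload entry are constructed for the demonstration.

```python
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

class HstsStore:
    """Hypothetical model of a browser's HSTS store: dynamic policies learned
    from response headers plus a fixed preload list."""

    def __init__(self, preload: Optional[Dict[str, bool]] = None):
        self.policies: Dict[str, Tuple[float, bool]] = {}  # host -> (expiry, includeSubDomains)
        self.preload = dict(preload or {})                  # host -> includeSubDomains

    def observe_header(self, host: str, value: str, now: float, over_https: bool = True) -> bool:
        """Parse a Strict-Transport-Security header value. Returns True if a
        policy was stored or cleared. Headers received over plain HTTP are
        ignored, as RFC 6797 requires."""
        if not over_https:
            return False
        max_age = None
        include_sub = False
        for directive in value.split(";"):
            name, _, raw = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                try:
                    max_age = int(raw.strip().strip('"'))
                except ValueError:
                    return False          # malformed header: ignore it entirely
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return False                  # max-age is mandatory
        host = host.lower()
        if max_age == 0:
            self.policies.pop(host, None)  # max-age=0 asks the client to forget the host
        else:
            self.policies[host] = (now + max_age, include_sub)
        return True

    def is_known(self, host: str, now: float) -> bool:
        """Walk from the full host up through its parent domains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            exact = i == 0
            if candidate in self.preload and (exact or self.preload[candidate]):
                return True
            policy = self.policies.get(candidate)
            if policy and policy[0] > now and (exact or policy[1]):
                return True
        return False

    def rewrite(self, url: str, now: float) -> str:
        """Upgrade http:// to https:// when the host has an active policy."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname:
            return url
        if not self.is_known(parts.hostname, now):
            return url
        netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

if __name__ == "__main__":
    store = HstsStore(preload={"paypal.com": True})      # constructed preload entry
    store.observe_header("www.google.com", "max-age=86400", now=0)   # the one-day setting
    print(store.rewrite("http://www.google.com/search?q=hsts", now=1000))   # upgraded
    print(store.rewrite("http://www.google.com/", now=90000))              # day elapsed: not upgraded
    store.observe_header("www.google.com", "max-age=31536000; includeSubDomains", now=90000)
    print(store.rewrite("http://www.google.com/", now=100000))             # upgraded again
```

The expiry check in `is_known` is the whole point of the max-age ramp: a user whose last visit was more than max-age ago is back to sending the first request over HTTP, which is exactly the exposure a preload entry removes for good.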

Increasing encryption

Google is currently working to implement HTTPS across all of its products. In March 2014, the company announced the use of HTTPS-only for Gmail.

Increasing encryption and security around its core products will be key for Google to remain in good standing with enterprise and consumer customers as concerns over cybersecurity ramp up across verticals.

Encryption remains at the forefront of many cybersecurity discussions, especially after last year’s terrorist attack in San Bernardino, CA, and the FBI’s dispute with Apple over access to the shooter’s iPhone.

In March, Google joined Facebook, Microsoft, and others who filed in support of Apple in its refusal of a court order forcing it to unlock the shooter’s iPhone for authorities.

The Federal Bureau of Investigation is holding ongoing talks with technology companies about a range of privacy and encryption issues, according to FBI director James Comey. The agency is also collecting statistics on the effect of encryption on its investigations.

“Encrypting data in transit helps keep our users and their data secure,” Brown said. “We’re excited to be implementing HSTS and will continue to extend it to more domains and Google products in the coming months.”

One would certainly hope so after the turmoil that has followed the release of thousands of DNC emails by Wikileaks. But Democratic lawmakers in the past have worked to weaken encryption standards, demanding backdoors that they say can be used by law enforcement authorities to track terrorists, but also leave computers vulnerable to hackers.

Consider CISA, a bill introduced to the Senate by California Democrat Dianne Feinstein. Despite near-unanimous expert testimony opposing the bill, along with a vocal public outcry, 30 Democratic senators voted in favor of passing the bill last year. This year, Feinstein coauthored the “Compliance with Court Orders Act of 2016” with Republican Senator Richard Burr, in the name of protecting America from terrorism following the FBI’s battle with Apple over decrypting the San Bernardino shooter’s iPhone.

As encryption expert Jonathan Zdziarski wrote following the announcement of the Feinstein-Burr bill, “The reality is that there is no possible way to comply with it without intentionally backdooring the encryption in every product that may be used in the United States.” While it’s still unclear how, exactly, hackers got into the DNC’s servers, Democrats now know, in the most personal way, the kinds of embarrassments that can result from encryption vulnerabilities.

The Democrats can blame Russia all they want. The fact of the matter is that stronger encryption, like the end-to-end encryption now standard in everything from iMessage to WhatsApp, continues to be the best defense against hackers.

Facebook has started to introduce a setting to its “Messenger” app that provides users with end-to-end encryption, meaning messages can only be read on the device to which they were sent.

The encrypted feature is currently only available in a beta form to a small number of users for testing, but it will become available to all of its estimated 900-million users by late summer or in the fall, the social media giant said.

The feature will be called “secret conversations”.

“That means the messages are intended just for you and the other person – not anyone else, including us,” Facebook announced in a blog post.

The feature will also allow users to set a timer, causing messages to expire after the allotted amount of time passes.

Facebook is the latest to join an ongoing trend of encryption among apps.

Back in April, WhatsApp, which is owned by Facebook and has more than a billion users, strengthened encryption settings so that messages were only visible on the sending and recipient devices.

WhatsApp had been providing limited encryption services since 2014.

The company says it is now using a powerful form of encryption to protect the security of photos, videos, group chats and voice calls in addition to the text messages sent by more than a billion users around the globe.

Controversy

Encryption has become a hotly debated subject, with some US authorities warning that criminals and armed groups can use it to hide their tracks.

“WhatsApp has always prioritised making your data and communication as secure as possible,” a blog post by WhatsApp co-founders Jan Koum and Brian Acton said, announcing the change at the time.

Like Facebook has until now, Google and Yahoo use less extensive encryption to protect emails and messages while they are in transit, to prevent outsiders from eavesdropping.

Apple uses end-to-end encryption for its iMessage service, but some experts say WhatsApp’s method may be more secure because it provides a security code that senders and recipients can use to verify a message came from someone they know – and not from a hacker posing as a friend.

The US government has been very vocal recently about how the increase in encryption on user devices is hampering their investigations. The reality is that according to a report from the Administrative Office of U.S. Courts, law enforcement with court-ordered wiretaps encountered fewer encrypted devices in 2015 than in 2014.

In regards to encrypted devices, the reports states: “The number of state wiretaps in which encryption was encountered decreased from 22 in 2014 to seven in 2015. In all of these wiretaps, officials were unable to decipher the plain text of the messages. Six federal wiretaps were reported as being encrypted in 2015, of which four could not be decrypted.”

This is out of 2,745 state and 1,403 federal wiretaps, for a grand total of 4,148, an increase of 17 percent over 2014. So while surveillance increased, the number of times law enforcement encountered encryption decreased.

Earlier this year the Department of Justice and FBI were locked in a court battle with Apple over an encrypted iPhone used by San Bernardino shooter Syed Rizwan Farook. The government eventually dropped the case after finding a third party to help it bypass the phone’s security.

But it started a national debate about personal devices and encryption. Tech companies want their customers to be secure, while law enforcement wants backdoors or keys to encrypted devices for investigations. But it looks like when it comes to wiretaps, encryption isn’t as big a problem as many would suspect.

WhatsApp’s end-to-end encryption might still be a contentious issue, but on Wednesday the Supreme Court refused to allow a PIL seeking a ban on the popular app and similar messenger services.

The PIL, filed by Gurugram-based RTI activist Sudhir Yadav, said these apps have complete encryption, which poses a threat to the country’s security.

A bench of Chief Justice T S Thakur and Justice A M Khanwilkar rejected the PIL, suggesting Yadav could approach the government or Telecom Regulatory Authority of India (TRAI) with his plea.

But Yadav said his application to the department of telecommunication and the government got the response that they did not possess information in this regard. The petitioner contended that end-to-end 256-bit encryption introduced by WhatsApp in April made all messages, chat, call, video, images and documents end-to-end encrypted, and thus it was impossible for security agencies to decode these.

According to him, this could be a national security threat for India, as agencies will not be able to track terrorists, who can plan attacks without worrying that the government can access their messages. The RTI petitioner sought to maintain a balance where police agencies can get lawful access to data while keeping information private.

So what is WhatsApp’s end-to-end encryption and why has it become such an issue? For starters, WhatsApp’s end-to-end encryption ensures that a user’s messages, videos, photos sent over the app, can’t be read by anyone else — not WhatsApp, not cyber-criminals, not law-enforcement agencies. Even calls and group chats are end-to-end encrypted.

End-to-end encryption means encryption at the device level and thus your chats, messages, videos are not stored on WhatsApp’s servers at all. The only way to access this data is if your device is compromised and the messages have not been deleted. This encryption is designed to keep out man-in-the-middle attacks.
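The man-in-the-middle protection mentioned here, and the "security code that senders and recipients can use to verify" described in the earlier WhatsApp piece on this page, both rest on one idea: each side derives a short code from the two identity public keys as it sees them, and the codes only agree if nobody swapped a key in transit. The following is an added illustration, not WhatsApp's or Signal's code, and the exact digit layout and domain-separation string are assumptions; the identity keys are constructed stand-ins rather than real Curve25519 keys.

```python
import hashlib
from typing import Tuple

def safety_number(identity_key_a: bytes, identity_key_b: bytes) -> str:
    """Derive a human-comparable code from both parties' identity public keys.
    Sorting makes the result order-independent, so each side computes the same
    string from its own view of the two keys. The 60-digit, 12-group layout is
    an assumption for display purposes only."""
    first, second = sorted((identity_key_a, identity_key_b))
    digest = hashlib.sha256(b"safety-number-v1" + first + second).digest()
    digits = f"{int.from_bytes(digest, 'big') % 10**60:060d}"
    return " ".join(digits[i:i + 5] for i in range(0, 60, 5))

def codes_match(my_key: bytes, peer_key_as_received: bytes, code_on_peer_device: str) -> bool:
    """What a user does when comparing codes in person or by reading them aloud."""
    return safety_number(my_key, peer_key_as_received) == code_on_peer_device

def demo() -> Tuple[bool, bool]:
    """Returns (honest exchange verifies, substituted key is detected)."""
    # Constructed stand-ins for identity public keys.
    alice = hashlib.sha256(b"alice-identity").digest()
    bob = hashlib.sha256(b"bob-identity").digest()
    mallory = hashlib.sha256(b"mallory-identity").digest()

    # Honest delivery: each side receives the other's true key, codes agree.
    honest = codes_match(alice, bob, safety_number(bob, alice))

    # Substitution: the relay hands each side Mallory's key instead of the
    # peer's. Alice's code derives from (alice, mallory), Bob's from (bob,
    # mallory), so the codes differ and the comparison fails.
    bob_view = safety_number(bob, mallory)
    detected = not codes_match(alice, mallory, bob_view)
    return honest, detected

if __name__ == "__main__":
    print(demo())   # (True, True)
```

The check only has value if the comparison happens over a channel the relay does not control, which is why the apps present it as something to read aloud or scan in person rather than something the service confirms for you.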

Given WhatsApp has over a billion users, this end-to-end encryption is a big deal. Let’s not forget that in Brazil, a senior WhatsApp executive was jailed because the company did not hand over data in a court case. WhatsApp claimed the data is encrypted and it does not have access to it.

WhatsApp co-founder Jan Koum, in fact, is known for dedication to user privacy and this is also one of the reasons the app has never sold ads. When WhatsApp announced the end-to-end encryption, Koum wrote, “People deserve security. It makes it possible for us to connect with our loved ones. It gives us the confidence to speak our minds. It allows us to communicate sensitive information with colleagues, friends, and others. We’re glad to do our part in keeping people’s information out of the hands of hackers and cyber-criminals.”

WhatsApp has relied on the “Signal Protocol”, designed by Open Whisper Systems, for its end-to-end encryption. What is also significant is that the feature is enabled by default on WhatsApp, unlike apps like Telegram where you have to go into a secret chat mode for end-to-end encrypted chats.

WhatsApp is also one of the most popular apps in India. In fact, research has consistently shown it is one of the most used apps after Facebook, and it is common for most people in India to be part of various groups on the service. Family, school, college friends, even office groups are present on WhatsApp. End-to-end encryption means all of this data is secure, and can’t be accessed by third parties including government agencies.

For now the courts have refused to go for a ban on WhatsApp, and instead directed Yadav towards the government. India per se doesn’t have a law on what kind of encryption third-party apps can use.

As we had noted earlier, the 40-bit encryption limit, which is too low given the current times, is something ISPs and TSPs have to stick with and doesn’t apply to apps.

Until India comes up with an encryption law, WhatsApp remains legal and we’ll have to wait and watch how the encryption versus security agency debate plays out in the country.